<p>BYOD - All Articles - CISO Platform (feed updated 2024-03-28, https://www.cisoplatform.com/profiles/blogs/feed/tag/BYOD)</p>
<div class="O1"><span class="font-size-6">Incident Response Sample Policy (BYOD)</span></div>
<p>Published 2015-07-31 by <a href="https://www.cisoplatform.com/members/pritha">pritha</a>. Source: https://www.cisoplatform.com/profiles/blogs/incident-response-sample-policy-byod</p>
<div><div>The major sections of a BYOD policy can be:</div>
<div><ul>
<li>Acceptable Use Policy</li>
<li>Supported Devices</li>
<li>IT Staff & Support Provided</li>
<li>Costs & Reimbursements</li>
<li>Security Controls</li>
<li>Ownerships & Liabilities</li>
<li>Disclaimers</li>
</ul>
</div>
<p></p>
<div class="O1"><span class="font-size-4">Acceptable Use Policy</span></div>
<div class="O1"><ul>
<li>Define the activities acceptable on the device, e.g. reading, browsing the web.<br /> Browsing known-malicious or otherwise risky sites is unacceptable</li>
<li>Define the activities acceptable during working hours.<br /> Recreational use may be unacceptable; any relaxations must be specified</li>
<li>Block/blacklist websites that must not be accessed<br /> Blocking should be automated and the rules specified<br /> The websites must be specified (though not limited to):<br /> Website1,Website2...</li>
<li>Media-capture capabilities, e.g. camera/video, must be limited and the limits specified<br /> Not permitted within sensitive zones where company data is displayed</li>
<li>The device must never be used for unauthorised storage or transfer of company data, or for any other illegal handling of company data of any kind</li>
<li>Acceptable list of applications<br /> Specify the whitelisted list<br /> Specify the blacklisted list</li>
<li>Devices may only use the specified protocol(s) to access company resources<br /> Specify the protocol and the connection steps<br /> Any violation must be blocked automatically</li>
</ul>
</div>
<p></p>
<div class="O1"><span class="font-size-4">Supported Devices</span></div>
<div class="O1"><ul>
<li>Acceptable device OS, e.g. Android, Apple iOS, BlackBerry<br /> Mention the complete list</li>
<li>Acceptable smartphones/tablets/PDAs, e.g. Apple, BlackBerry etc.</li>
</ul>
</div>
<p></p>
<div class="O1"><span class="font-size-4">IT Staff & Support Provided</span></div>
<div class="O1"><ul>
<li>Device hardening is mandatory before the device connects to the company network or any other resource</li>
<li>Any connectivity issues will be handled by IT staff</li>
<li>No third party may make changes to the device without prior permission from IT staff</li>
<li>IT staff shall provide all company-approved business productivity apps and resources on the device</li>
</ul>
</div>
<p></p>
<div class="O1"><span class="font-size-4">Costs & Reimbursements</span></div>
<div class="O1"><ul>
<li>On loss of or damage to the device, the company is not liable for reimbursement.<br /> If the company does reimburse, state the amount or percentage of the cost it will pay</li>
<li>Device data plans or allowances the company may pay for<br /> The employee roles eligible for this facility</li>
<li>Reimbursement is not available for the following:<br /> Specify the list, e.g. loss of device, personal calls, roaming etc.</li>
</ul>
</div>
<p></p>
<div class="O1"><span class="font-size-4">Security Controls</span></div>
<div class="O1"><ul>
<li>Mandate password protection of the device and auto-lock</li>
<li>Mandate a strong password policy for access to company data, and lock access on any misuse<br /> Specify the password details, e.g. a 12-character password with at least 2 numbers and 1 special character</li>
<li>Jailbroken or rooted devices are banned<br /> Specify the full list of acceptable OS versions</li>
<li>Prohibit blacklisted resources (apps), including their download or installation<br /> Enforcement should be automated</li>
<li>Personal-use-only devices may never be connected to company networks<br /> Monitor connected devices and allow only those with a business justification</li>
<li>Identify each device, and make access to company data role-based</li>
<li>Remote wipe will be performed by IT staff, which may affect employee data under certain circumstances</li>
<li>Employees must be given a deadline for reporting loss or mishandling of the device, e.g. 24 hours</li>
</ul>
</div>
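<p>The Acceptable Use Policy and Security Controls sections above read as a checklist that an MDM or network-access control would enforce automatically. The following Python is an added example, not part of the original post, that evaluates a device posture record against such rules (supported OS, no root/jailbreak, passcode and auto-lock, blacklisted apps absent, role-based access, and a lost-device report that triggers remote wipe) and reports every failed control rather than only the first. The field names, policy constants, app identifiers and sample device records are assumptions constructed for the example; a real deployment would take them from the organisation's own policy and its MDM inventory.</p>

```python
"""BYOD device-compliance check.

Added illustration for the policy sections above; not code from the original
post. Field names, policy constants and sample records are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Policy parameters. These stand in for the policy's "specify the complete
# list" items and would be replaced by the organisation's own values.
SUPPORTED_OS = {"android", "ios"}
BLOCKLISTED_APPS = {"com.example.rootcloak", "com.example.torrent"}  # constructed
MAX_AUTOLOCK_SECONDS = 300
PASSCODE_MIN_LENGTH = 12
PASSCODE_MIN_DIGITS = 2
PASSCODE_MIN_SPECIALS = 1
ROLE_RESOURCES = {          # role-based access to company data (assumed roles)
    "staff": {"mail"},
    "finance": {"mail", "erp"},
}


@dataclass
class DevicePosture:
    """One device record, as an MDM inventory might report it (assumed fields)."""
    device_id: str
    owner_role: str
    os_name: str
    rooted_or_jailbroken: bool
    passcode_enabled: bool
    autolock_seconds: Optional[int]   # None means auto-lock is disabled
    installed_apps: set
    reported_lost: bool = False


def passcode_meets_policy(passcode: str) -> bool:
    """Strong-password rule from the Security Controls section:
    at least 12 characters, 2 digits and 1 special character."""
    digits = sum(ch.isdigit() for ch in passcode)
    specials = sum(not ch.isalnum() for ch in passcode)
    return (len(passcode) >= PASSCODE_MIN_LENGTH
            and digits >= PASSCODE_MIN_DIGITS
            and specials >= PASSCODE_MIN_SPECIALS)


def evaluate_device(dev: DevicePosture) -> dict:
    """Return {'allow': bool, 'reasons': [...], 'actions': [...]}.

    Every failed control is listed so the helpdesk can tell the owner
    everything that must be fixed before the device is readmitted."""
    reasons, actions = [], []
    if dev.reported_lost:
        reasons.append("device reported lost or mishandled")
        actions.append("remote-wipe company data")
    if dev.os_name.lower() not in SUPPORTED_OS:
        reasons.append(f"unsupported OS: {dev.os_name}")
    if dev.rooted_or_jailbroken:
        reasons.append("rooted/jailbroken device")
    if not dev.passcode_enabled:
        reasons.append("no device passcode")
    if dev.autolock_seconds is None or dev.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        reasons.append("auto-lock disabled or longer than the policy maximum")
    banned = sorted(dev.installed_apps & BLOCKLISTED_APPS)
    if banned:
        reasons.append("blacklisted apps installed: " + ", ".join(banned))
        actions.append("block app installation / quarantine device")
    if dev.owner_role not in ROLE_RESOURCES:
        reasons.append(f"unknown role: {dev.owner_role}")
    allow = not reasons
    if not allow and "remote-wipe company data" not in actions:
        actions.append("disconnect from company network")
    return {"allow": allow, "reasons": reasons, "actions": actions}


def allowed_resources(dev: DevicePosture) -> set:
    """Role-based access: a compliant device gets its role's resources, nothing else."""
    if not evaluate_device(dev)["allow"]:
        return set()
    return set(ROLE_RESOURCES[dev.owner_role])


# Constructed sample inventory: one compliant device, one rooted device with a
# blacklisted app, one unsupported and unlocked device, one reported lost.
SAMPLE_DEVICES = [
    DevicePosture("d-001", "finance", "iOS", False, True, 120, {"com.example.mail"}),
    DevicePosture("d-002", "staff", "Android", True, True, 60, {"com.example.rootcloak"}),
    DevicePosture("d-003", "staff", "Windows Phone", False, False, None, set()),
    DevicePosture("d-004", "staff", "iOS", False, True, 120, set(), reported_lost=True),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        verdict = evaluate_device(dev)
        print(dev.device_id, "ALLOW" if verdict["allow"] else "DENY",
              verdict["reasons"], verdict["actions"])
```

<p>Collecting all failures at once, rather than stopping at the first, is what makes the policy's "specify each step of control or response" workable: a lost device is wiped regardless of any other finding, while an otherwise compliant device carrying one blacklisted app gets a targeted action instead of a bare disconnect.</p>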
<p></p>
<div class="O1"><span class="font-size-4">Ownerships/Liability</span></div>
<div class="O1"><ul>
<li>Remote wipe will be performed by IT staff, which may affect employee data under certain circumstances</li>
<li>Loss or damage of the device must be reported at short notice, e.g. within 24 hours</li>
<li>Reporting device damage to the bank or service-provider authorities is the employee's responsibility</li>
<li>Any device not following the acceptable use policy may be disconnected from company networks</li>
<li>The company reserves the right, at any time, to allow or disallow devices connecting</li>
<li>The company also reserves the right to withdraw the policy whenever its requirements demand</li>
</ul>
</div>
<p></p>
<div class="O1"><span class="font-size-4">Disclaimers</span></div>
<div class="O1"><ul>
<li>The device owner remains liable for all data on the device (personal and company) and for its loss or misuse</li>
</ul>
</div>
<p></p>
<div class="O1"><span class="font-size-5">Policy Framework & Basics-</span></div>
<div class="O1"><ul>
<li>Specify every detail possible</li>
<li>Define the scope, authority and role of the policy</li>
<li>The policy should not be ambiguous or open to more than one interpretation</li>
<li>Clearly state the control that IT staff have</li>
<li>Specify each step of control or response expected of every party</li>
<li>Specify the mandates</li>
<li>Clearly specify the steps to recover</li>
<li>Train staff so that they have a fair understanding of the policies</li>
<li>Specify the steps of communication and reporting, and each authority and role</li>
<li>Specify the related legal stakes</li>
<li>Specify the controls on media and data, and which access is denied and which allowed</li>
</ul>
</div>
<p></p>
<p>Reference</p>
<p>1. Incident Response, Leighton R. Johnson</p>
<p></p>
<div class="O1"><span class="font-size-3"><em>What are the critical areas incorporated in your BYOD Incident Response Policy? Share your thoughts in comments below</em></span></div>
<div class="O1"></div></div>Top 5 'Mobile Security' talks from Black Hat Conference 2016 (USA)https://www.cisoplatform.com/profiles/blogs/bh2016-top-5-mobile-security-talks-from-black-hat-conference2016-12-05T12:30:00.000Z2016-12-05T12:30:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><p><span style="font-size:12pt;">Our editorial team has handpicked some great talks from Black Hat Conference - one of the largest IT Security Conference in the world. </span></p>
<p><span class="font-size-3">Black Hat - built by and for the global InfoSec community - returns to Las Vegas for its 19th year. This six day event begins with four days of intense Trainings for security practitioners of all levels (July 30 - August 2) followed by the two-day main event including over 100 independently selected Briefings, Business Hall, Arsenal, Pwnie Awards, and more (August 3-4).</span></p>
<p><span class="font-size-3" style="color:#333333;">(Source: Black Hat Conference USA 2016)</span></p>
<p style="text-align:right;"><span class="font-size-1">image courtesy: <a href="https://www.flickr.com/photos/jasonahowie/7910370882">https://www.flickr.com/photos/jasonahowie/7910370882</a></span></p>
<p><span class="font-size-6"><a href="http://www.cisoplatform.com/profiles/blogs/1000-ways-to-die-in-mobile-oauth-black-hat-conference-2016" target="_blank">1) 1000 ways to die in mobile oauth</a></span></p>
<p><span class="font-size-4">Speaker:</span> <span class="font-size-4">Eric Chen, Yutong, Yuan Tian, Shuo Chen, Robert Kotcher, Patrick Tague</span></p>
<p><span class="font-size-3">In the paper, we pinpoint the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers. We then show several representative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been communicated to vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize lessons learned from the study, hoping to provoke further thoughts about clear guidelines for OAuth usage in mobile applications</span></p>
<p><span class="font-size-4"><a href="http://www.cisoplatform.com/profiles/blogs/1000-ways-to-die-in-mobile-oauth-black-hat-conference-2016" target="_blank">>>Go To Presentation</a></span></p>
<p><span class="font-size-6"><a href="http://www.cisoplatform.com/profiles/blogs/behind-the-scenes-with-ios-security-black-hat-conference-2016" target="_blank">2) Behind the scenes with IOS security</a><br /></span></p>
<p><span class="font-size-4">Speaker:</span> <span class="font-size-4">Ivan Krstić</span></p>
<p><span class="font-size-3">We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss.Data Protection is the cryptographic system protecting user data on all iOS devices.</span></p>
<p><span class="font-size-4"><a href="http://www.cisoplatform.com/profiles/blogs/behind-the-scenes-with-ios-security-black-hat-conference-2016" target="_blank">>>Go To Presentation</a></span></p>
<p><span class="font-size-6"><a href="http://www.cisoplatform.com/profiles/blogs/bad-for-enterprise-attacking-byod-enterprise-mobility-security-so" target="_blank">3) Bad for Enterprise: Attacking BYOD enterprise mobility security solutions</a></span></p>
<p><span class="font-size-4">Speaker:</span> <span class="font-size-4">Vincent Tan ( <a href="https://twitter.com/vincent_tky" target="_blank">@vincent_tky</a> )</span></p>
<p><span class="font-size-3">Using the Good Technology EMS suite as an example, my talk will show that EMS solutions are largely ineffective and in some cases can even expose an organization to unexpected risks. I will show attacks against EMS protected apps on jailbroken and non-jailbroken devices, putting to rest the rebuttal that CxOs and solution vendors often give penetration testers, ""We do not support jailbroken devices.""</span></p>
<p><span class="font-size-3">Whether you are a CxO, administrator or user, you can't afford not to understand the risks associated with BYOD.</span></p>
<p><span class="font-size-4"><a href="http://www.cisoplatform.com/profiles/blogs/bad-for-enterprise-attacking-byod-enterprise-mobility-security-so" target="_blank">>>Go To Presentation</a></span></p>
<p><span class="font-size-6"><a href="http://www.cisoplatform.com/profiles/blogs/samsung-pay-tokenized-numbers-flaws-and-issues-black-hat" target="_blank">4) Samsung pay: tokenized numbers flaws and issues</a><br /></span></p>
<p><span class="font-size-4">Speaker:</span> <span class="font-size-4">Salvador Mendoza ( <a href="https://twitter.com/netxing" target="_blank">@Netxing</a> )</span></p>
<p><span class="font-size-3">Samsung announced many layers of security to its Pay app. Without storing or sharing any type of user's credit card information, Samsung Pay is trying to become one of the most secure approaches offering functionality and simplicity for its customers. This app is a complex mechanism which has some limitations relating security.</span></p>
<p><span class="font-size-4"><a href="http://www.cisoplatform.com/profiles/blogs/samsung-pay-tokenized-numbers-flaws-and-issues-black-hat" target="_blank">>>Go To Presentation</a></span></p>
<p><span class="font-size-6"><a href="http://www.cisoplatform.com/profiles/blogs/the-art-of-defence-how-vulnerabilities-help-shape-security-featur" target="_blank">5) The Art of defence: How vulnerabilities help shape security features and mitigations in android</a><br /></span></p>
<p><span class="font-size-4">Speaker:</span> <span class="font-size-4">Nick Kralevich</span></p>
<p><span class="font-size-3">In this talk, we will cover the threats facing Android users, using both specific examples from previous Black Hat conferences and published research, as well as previously unpublished threats. For the threats, we will go into the specific technical controls which contain the vulnerability, as well as newly added Android N security features which defend against future unknown vulnerabilities. Finally, we'll discuss where we could go from here to make Android, and the entire computer industry, safer.</span></p>
<p><span class="font-size-4"><a href="http://www.cisoplatform.com/profiles/blogs/the-art-of-defence-how-vulnerabilities-help-shape-security-featur" target="_blank">>>Go To Presentation</a></span></p>
<p><span class="font-size-6"><a href="https://goo.gl/ZyzyKF" target="_blank">Your Complete Guide To Top Talks @Black Hat Conference 2016 (USA)</a></span></p>
<p><span class="font-size-3">Get your FREE Guide on Top Talks @ Black Hat Conference 2016 (USA) . Our editorial team has gone through all the talks and handpicked the best of the best talks at the Conference into a single guide. Get your Free copy today.<br /> <br /></span></p>
<p><span class="font-size-4"><strong><a href="https://goo.gl/ZyzyKF" target="_blank">>>Click Here To Get Your FREE Guide</a></strong></span></p>
<p></p></div>